If you use online or mobile banking, you may be interested to know that six federal regulators teamed up recently to make your accounts more secure. New rules from the Federal Financial Institutions Examination Council (FFIEC) require banks to take extra steps to make sure that the person signing into your account is actually you.
The rules require banks to apply the same anti-fraud measures used for bank websites to mobile devices. They also include surprisingly frank descriptions of the big risks inherent to any mobile or online bank transaction.
The guidance “really raises the bar in terms of the expectations regulators have for banks in terms of protecting consumers and businesses from fraud,” says Jeff Kopchik, senior policy analyst in the risk management division of the FDIC. You can see the new guidelines here.
The FFIEC is an obscure little agency with a big job: making sure that rules passed by all federal bank regulators on important topics like credit cards, mortgages and other financial products mesh with one another. In this case, six different agencies that monitor banks, credit unions, Wall Street investment houses and other financial institutions all have their own requirements to protect consumers from fraud.
The council’s ruling sets the floor for all the other agencies’ rules. It updates rules first created in 2005 to regulate online transactions, requiring financial institutions to regularly review and update their fraud monitoring systems. It also requires banks to use multiple methods to verify account holders’ identities in high-risk transactions.
What’s eye-opening here is the council’s definition of a high-risk transaction: “i.e., electronic transactions involving access to customer information or the movement of funds to other parties.”
Did you catch that? By the regulators’ standard, every single online or mobile transaction poses a high risk of fraud, since every one requires access to customer information.
The regulators also confirm something that we at Credit.com have been pointing out for years: If important information is being exchanged, someone will figure out a way to steal it.
“Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security,” according to the rules.
Under the new guidelines, banks can no longer rely on their old way of authenticating account holders’ identities, which relies primarily on matching a user’s name and password to a cookie on their computer that recognizes them as a bank customer.
“In the last six years, hackers have figured out how to completely subvert that,” Kopchik says.
Instead, banks will have to employ layers of identity authentication at different steps of the online and mobile banking process. Customers will have to follow one process to log in, and then give additional information to authorize funds transfers and other risky transactions.
On the back end, the new rules require banks to look for anomalies that could indicate fraud. For example, that could mean flagging a transaction in which a customer who normally pays $10,000 a month to five different vendors suddenly pays $100,000 to a completely new vendor. Banks would be required to have some system in place to make sure that account has not been taken over, something credit card companies have been doing on their own for years, Kopchik says.
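The baseline-versus-anomaly check described above, together with the layered step-up the article mentions for risky transfers, sketched as an added Python example (not code from the article, the FFIEC or any bank; the thresholds, payee names and payment history are assumptions constructed for illustration):

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Payment:
    payee: str
    amount: float  # USD

# Constructed baseline: five vendors paid $2,000 each, every month for three
# months, i.e. the "$10,000 a month to five different vendors" of the article.
BASELINE = [Payment(f"vendor-{i}", 2000.0) for i in range(1, 6)] * 3

def assess_transfer(history, payment, amount_multiplier=5.0):
    """Score a proposed outgoing payment against the account's own history.

    Returns (score, reasons). The multiplier and weights are assumptions
    chosen for illustration, not values from the guidance.
    """
    reasons = []
    score = 0
    known_payees = {p.payee for p in history}
    if payment.payee not in known_payees:
        score += 1
        reasons.append("payee never paid before from this account")
    if history:
        largest = max(p.amount for p in history)
        if payment.amount > amount_multiplier * largest:
            score += 2
            reasons.append(
                f"amount {payment.amount:,.0f} is over {amount_multiplier:g}x "
                f"the largest prior payment ({largest:,.0f})"
            )
    return score, reasons

def required_action(score):
    """Map a risk score to the layered control applied before funds move."""
    if score >= 3:
        return "hold_and_verify"  # out-of-band confirmation or manual review
    if score >= 1:
        return "step_up_auth"     # extra authentication beyond the login
    return "allow"

if __name__ == "__main__":
    for candidate in (Payment("vendor-1", 2000.0), Payment("new-vendor", 100000.0)):
        score, why = assess_transfer(BASELINE, candidate)
        print(candidate, score, required_action(score), why)
```

A routine $2,000 payment to a known vendor scores 0 and is allowed, while the article's $100,000 payment to a brand-new payee trips both checks and is held for verification.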
Moving forward, the council will continue to study new technology and ways that hackers and identity thieves can manipulate it. Which means banks and consumers can probably expect a new round of security rules in the next few years.
“Six years is an eternity” in the world of anti-fraud technology, Kopchik says.
Image: Serhat Demir, via Flickr